EA Origin had a vulnerability that left 300 million players potentially exposed

The security flaw would have let hackers take over people’s account without needing to steal a login and password.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read

EA Origin hosts games like NBA Live and Battlefield. Security researchers found a vulnerability that could have easily allowed for account takeovers.


EA had to step up its game after researchers found an EA Origin vulnerability that could have exposed millions of people to account takeovers. The flaw exposed more than 300 million players on popular online games such as Battlefield, Madden NFL, NBA Live and FIFA, according to security researchers from Check Point and CyberInt.

"EA's Origin platform is hugely popular, and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users' accounts," Oded Vanunu, head of products vulnerability research for Check Point, said in a statement Wednesday. 

The security flaw would have allowed hackers to hijack people's accounts without stealing their login or passwords. That's because it would steal a Single Sign-On authorization token instead, which could give complete control for hackers. Access tokens are an authentication method similar to passwords, as codes generated by services to keep you logged in. 

They're harder to steal than passwords but still possible, as a similar vulnerability with Fortnite and Facebook demonstrated. As people become more aware of entering their passwords on suspicious websites, hackers have turned to stealing access tokens instead, which can be done in the background without any user participation. 

The security researchers were able to take control of an EA subdomain, under the URL "eaplayinvite.ea.com," which was an inactive domain hosted on Microsoft's Azure cloud service. CyberInt and Check Point's researchers successfully requested to take over the inactive domain from Microsoft Azure and turned the page into a phishing trap. 

They could send the malicious page to players, and since it was an EA domain, victims would be more likely to trust the link, researchers said. The hijacked page had code embedded that would take access tokens intended for EA and direct it toward the researchers instead. 

"We had the vulnerabilities under control so no other party could have exploited them during the period it took EA to fix," Alexander Peleg, CyberInt's head of cyber operations, said in an email.

The researchers could then use that to log into the victims' accounts. CyberInt and Check Point said they reached out to EA to fix the flaw on Feb. 19, and the company said it fixed the issue within three weeks. 

"Protecting our players is our priority," Adrian Stone, EA's director of game and platform security, said in a statement provided by the security researchers. "As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues."

EA didn't respond to a request for additional comment.